RE: New XAUTH draft
Hi Scott,
<snip>
> No, actually I'm referring to stability, analyzability, and other
> security characteristics. Adding more complexity and states
> to IKE makes
> it harder to analyze, and more susceptible to a variety of attacks.
> There are a number of people better qualified to discuss this
> than I am
> who might want to jump in here...
>
<snip>
I see, sorry for the confusion. Please disregard my comments about reducing
the entropy.
I don't see how XAUTH complicates IKE to a level where IKE might become
unstable. IKE simply goes from Phase1 - Phase2, to Phase1 - XAUTH - Phase2.
The only other solution to the problem I've heard is Phase1 - Phase2 (but
only special phase2's destined to Authentication servers) - Phase2. This
seems even more complicated to me. Not to mention it seems easier to make a
configuration / implementation mistake here.
Once again, sorry for the confusion.
Stephane.